Abstract. We introduce the notion of "$\delta$-complete decision procedures" for solving SMT problems over the real numbers, with the aim of handling a wide range of nonlinear functions including transcendental functions and solutions of Lipschitz-continuous ODEs. Given an SMT problem $\varphi$ and a positive rational number $\delta$, a $\delta$-complete decision procedure determines either that $\varphi$ is unsatisfiable, or that the "$\delta$-weakening" of $\varphi$ is satisfiable. Here, the $\delta$-weakening of $\varphi$ is a variant of $\varphi$ that allows $\delta$-bounded numerical perturbations on $\varphi$. We prove the existence of $\delta$-complete decision procedures for bounded SMT over reals with functions mentioned above. For functions in Type 2 complexity class $C$, under mild assumptions, the bounded $\delta$-SMT problem is in $\mathrm{NP}^{C}$. This stands in sharp contrast to the well-known undecidability results. $\delta$-Complete decision procedures can exploit scalable numerical methods for handling nonlinearity, and we propose to use this notion as an ideal requirement for numerically-driven decision procedures. As a concrete example, we formally analyze the DPLL(ICP) framework, which integrates Interval Constraint Propagation (ICP) in DPLL(T), and establish necessary and sufficient conditions for its $\delta$-completeness. We discuss practical applications of $\delta$-complete decision procedures for correctness-critical applications including formal verification and theorem proving.



1 Introduction 

Given a first-order signature $\mathcal{L}$ and a structure $\mathcal{M}$, the Satisfiability Modulo Theories (SMT) problem asks whether a quantifier-free $\mathcal{L}$-formula is satisfiable over $\mathcal{M}$, or equivalently, whether an existential $\mathcal{L}$-sentence is true in $\mathcal{M}$. Solvers for SMT problems have become the key enabling technology in formal verification and related areas. SMT problems over the real numbers are of particular interest, because of their importance in verification and design of hybrid systems, as well as in theorem proving. While efficient algorithms [10] exist for deciding SMT problems with only linear real arithmetic, practical problems normally contain nonlinear polynomials, transcendental functions, and differential equations. Solving formulas with these functions is inherently intractable. Decision algorithms [9] for formulas with nonlinear polynomials have very high complexity [6]. When the sine function is involved, the SMT problem is undecidable, and only partial algorithms can be developed [2, 1].

Recently much attention has been given to developing practical solvers that incorporate scalable numerical computations. Examples of numerical algorithms that have been exploited include optimization algorithms [4, 27], interval-based algorithms [13, 11, 12, 16], Bernstein polynomials [25], and linearization algorithms [14]. These solvers have shown promising results on various nonlinear benchmarks in terms of scalability.

However, for correctness-critical problems, there is always the concern that numerical errors can result in incorrect answers from numerically-driven solvers. For example, safety problems for hybrid systems cannot be decided by numerical methods [28]. The problem is compounded by, for instance, the difficulty in understanding the effect of floating-point arithmetic in place of exact computation. There are two common ways of addressing these concerns. One is to use exact versions of the numerical algorithms, replacing floating-point operations by exact symbolic arithmetic [25]; the other is to use post-processing (validation) procedures to ensure that only correct results are returned. Both options reduce the full power of numerical algorithms and are usually hard to implement as well. For instance, in the Flyspeck project [18] for the formal proof of the Kepler conjecture, validating the numerical procedures used in the original proof turns out to be the hardest computational part (and is not yet finished). In general, there has been no framework for understanding the actual performance guarantees of numerical algorithms in the context of decision problems.

In this paper we aim to fill this gap by formally establishing the applicability 
of numerical algorithms in decision procedures, and the correctness guarantees 
they can actually provide. We do this as follows. 

First, we introduce "the $\delta$-SMT problem" over real numbers, to capture what can in fact be correctly solved by numerically-driven procedures. Given an SMT formula $\varphi$, and any positive rational number $\delta$, the $\delta$-SMT problem asks for one of the following decisions:

- unsat: $\varphi$ is unsatisfiable.

- $\delta$-sat: the $\delta$-weakening of $\varphi$ is satisfiable.

Here, the $\delta$-weakening of $\varphi$ is defined as a numerical relaxation of the original formula. For instance, the $\delta$-weakening of $x = 0$ is $|x| \leq \delta$. Note that if a formula is satisfiable, its $\delta$-weakening is always satisfiable. Thus, when a formula is $\delta$-sat, either it is indeed satisfiable, or it is unsatisfiable but a $\delta$-perturbation on its numerical terms would make it satisfiable. The effect of this slight relaxation is striking. In sharp contrast to the undecidability of SMT for any signature extending real arithmetic by sine, we show that the bounded $\delta$-SMT problem for a wide range of nonlinear functions is decidable. In fact, we show that the bounded $\delta$-SMT problem for the theory with exponentiation and trigonometric functions is NP-complete, and PSPACE-complete for theories with Lipschitz-continuous ODEs. We obtain these results using techniques from computable analysis [30, 5]. These results serve as the theoretical basis for our investigation of numerically-driven procedures.

Next, if a decision algorithm can solve the $\delta$-SMT problem correctly, we say it is "$\delta$-complete". We propose to use $\delta$-completeness as the ideal correctness requirement on numerically-driven procedures, replacing the conventional notion of complete solvers (which can never be met in this context). This new notion makes it worthwhile to develop and formally analyze numerical methods for decision problems and compare their strength, instead of viewing them as partial heuristics. As an example, we study DPLL(ICP), the integration of Interval Constraint Propagation (ICP) [19] in DPLL(T) [24]. It is a general solving framework for nonlinear formulas and has shown promising results [13, 16, 12]. We obtain conditions that are sufficient and necessary for the $\delta$-completeness of DPLL(ICP).

Further, we show the applicability of $\delta$-complete procedures in correctness-critical practical problems. In bounded model checking [7, 8], using a $\delta$-complete solver we return one of the following answers: either a system is absolutely safe up to some depth (unsat answers), or it would become unsafe under some $\delta$-bounded numerical perturbations ($\delta$-sat answers). Since $\delta$ can be made very small, in the latter case the algorithm is essentially detecting robustness problems in the system: if a system would be unsafe under some small perturbations, it can hardly be regarded as safe in practice. Similar guarantees can be given for invariant validation and theorem proving. The conclusion is that, under suitable interpretations, the answers of numerically-driven decision procedures can indeed be relied on in correctness-critical applications, as long as they are $\delta$-complete.

Related Work. Our goal is to provide a formal basis for the promising trend of numerically-driven decision procedures [4, 27, 13, 11, 12, 16, 25, 14]. A related attempt can be seen in Ratschan's work [29], in which he investigated the stability of first-order constraints under numerical perturbations. Our approach is, instead, to take numerical perturbations as a given and study their implications in practical applications. Results in this paper are related to our more theoretical results [15] for arbitrarily-quantified sentences, where we do not analyze practical procedures. A preliminary notion of $\delta$-completeness was proposed by us earlier in [16], where only polynomials are considered.

The paper is organized as follows. In Sections 2 and 3 we define the bounded $\delta$-SMT problem and establish its decidability and complexity. In Section 4 we formally analyze DPLL(ICP), and we discuss applications in Section 5.

2 SMT with Type 2 Computable Functions 
2.1 Basics of Computable Analysis 

Real numbers can be encoded as infinite strings, and a computability theory of real functions can be developed with oracle machines that perform operations using function-oracles encoding real numbers. This is the approach developed in Computable Analysis or Type 2 Computability [30, 22, 5]. We briefly review results of importance to us.

Throughout the paper we use $\|\cdot\|$ to denote $\|\cdot\|_\infty$ over $\mathbb{R}^n$ for various $n$.

Definition 2.1 (Names). A name of $a \in \mathbb{R}$ is any function $\gamma_a : \mathbb{N} \to \mathbb{Q}$ satisfying that $\forall i \in \mathbb{N},\ |\gamma_a(i) - a| < 2^{-i}$. For $a \in \mathbb{R}^n$, $\gamma_a(i) = (\gamma_{a_1}(i), \ldots, \gamma_{a_n}(i))$.

Thus the name of a real number is a sequence of rational numbers converging to it. For $a \in \mathbb{R}^n$, we write $\Gamma(a) = \{\gamma : \gamma \text{ is a name of } a\}$.

A real function / is computable if there is an oracle Turing machine that can 
take any argument x of / as a function oracle, and output the value of f{x) up 
to an arbitrary precision. 

Definition 2.2 (Computable Functions). We say $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ is computable if there exists a function-oracle Turing machine $\mathcal{M}_f$, outputting rational numbers, such that $\forall x \in \mathrm{dom}(f)\ \forall \gamma_x \in \Gamma(x)\ \forall i \in \mathbb{N},\ |\mathcal{M}_f^{\gamma_x}(i) - f(x)| < 2^{-i}$.

In the definition, $i$ specifies the desired error bound on the output of $\mathcal{M}_f$ with respect to $f(x)$. For any $x \in \mathrm{dom}(f)$, $\mathcal{M}_f$ has access to an oracle encoding the name of $x$, and outputs a $2^{-i}$-approximation of $f(x)$. In other words, the sequence $\mathcal{M}_f^{\gamma_x}(1), \mathcal{M}_f^{\gamma_x}(2), \ldots$ is a name of $f(x)$. Intuitively, $f$ is computable if an arbitrarily good approximation of $f(x)$ can be obtained using any good enough approximation to any $x \in \mathrm{dom}(f)$. A key property of this notion of computability is that computable functions over reals are continuous [30]. Moreover, over any compact set $D \subseteq \mathbb{R}^n$, computable functions are uniformly continuous with a computable modulus of continuity defined as follows.

Definition 2.3 (Uniform Modulus of Continuity). Let $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ be a function and $D \subseteq \mathrm{dom}(f)$ a compact set. The function $m_f : \mathbb{N} \to \mathbb{N}$ is called a uniform modulus of continuity of $f$ on $D$ if $\forall x, y \in D,\ \forall i \in \mathbb{N}$, $\|x - y\| < 2^{-m_f(i)}$ implies $|f(x) - f(y)| < 2^{-i}$.

Proposition 2.1 ([30]). Let $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ be computable and $D \subseteq \mathrm{dom}(f)$ a compact set. Then $f$ has a computable uniform modulus of continuity over $D$.

Intuitively, if a function has a computable uniform modulus of continuity, then fixing any desired error bound $2^{-i}$ on the outputs, we can compute a global precision $2^{-m_f(i)}$ on the inputs from $D$ such that using any $2^{-m_f(i)}$-approximation of any $x \in D$, $f(x)$ can be computed within the error bound.

Most common continuous real functions are computable [30]. Addition, multiplication, absolute value, min, max, exp, sin and solutions of Lipschitz-continuous ordinary differential equations are all computable functions. Compositions of computable functions are computable.
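As an added example (not part of the original paper), the following Python code realizes Definitions 2.1 to 2.3 for one concrete function: a name is a rational-valued callable, $f(x) = x^2 - 2$ is evaluated exactly on rationals, and the oracle machine $\mathcal{M}_f^{\gamma_x}(i)$ queries the name of $x$ only at the precision dictated by the uniform modulus of continuity $m_f(i) = i + 2$ of $f$ on $D = [0, 2]$. The choice of $D$, the name of $\sqrt{2}$ built from integer square roots, and all function names are the example's own assumptions.

```python
from fractions import Fraction
from math import isqrt
from typing import Callable

# A name of a real a (Definition 2.1): gamma(i) is a rational with |gamma(i) - a| < 2^-i.
Name = Callable[[int], Fraction]


def name_of_sqrt2(i: int) -> Fraction:
    """A name of sqrt(2) (example's own construction): floor(sqrt(2) * 2^i) / 2^i lies
    less than 2^-i below sqrt(2), so |gamma(i) - sqrt(2)| < 2^-i."""
    return Fraction(isqrt(2 * 4 ** i), 2 ** i)


def name_of_rational(q) -> Name:
    """A rational number is named by the constant sequence q, q, q, ..."""
    return lambda i: q


# f(x) = x^2 - 2 on the compact domain D = [0, 2] (assumed here). On D,
# |f(x) - f(y)| = |x + y| * |x - y| <= 4 * |x - y|, so ||x - y|| < 2^-(i+2) implies
# |f(x) - f(y)| < 2^-i: m_f(i) = i + 2 is a uniform modulus of continuity (Definition 2.3).
def f_exact(q: Fraction) -> Fraction:
    return q * q - 2


def modulus_f(i: int) -> int:
    return i + 2


def oracle_machine(f_rat: Callable[[Fraction], Fraction], modulus: Callable[[int], int],
                   gamma: Name, i: int) -> Fraction:
    """M_f^{gamma}(i) of Definition 2.2: a rational within 2^-i of f(x), obtained from
    finitely many queries to the name gamma of x (here exactly one).
    Because |gamma(m_f(i)) - x| < 2^-m_f(i) and f_rat evaluates f exactly on rationals,
    the modulus guarantees |f(gamma(m_f(i))) - f(x)| < 2^-i."""
    q = gamma(modulus(i))
    return f_rat(q)


def output_name(f_rat, modulus, gamma: Name) -> Name:
    """The sequence M(0), M(1), M(2), ... is itself a name of f(x)."""
    return lambda i: oracle_machine(f_rat, modulus, gamma, i)


if __name__ == "__main__":
    # f(sqrt(2)) = 0, so the outputs must shrink below 2^-i as i grows.
    for i in (1, 4, 8, 16):
        print(i, oracle_machine(f_exact, modulus_f, name_of_sqrt2, i))
```

The machine never sees $x$ itself, only rational approximations of it, which is exactly why computable functions are continuous: the output at precision $i$ is determined by a neighbourhood of $x$ of radius $2^{-m_f(i)}$.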

Moreover, complexity of real functions can be defined over compact domains.

Definition 2.4 ([23]). Let $D \subseteq \mathbb{R}^n$ be compact. A real function $f : D \to \mathbb{R}$ is P-computable (PSPACE-computable) if it is computable by an oracle Turing machine $\mathcal{M}_f^{\gamma_x}(i)$ that halts in polynomial time (polynomial space) for every $i \in \mathbb{N}$ and every $x \in \mathrm{dom}(f)$.

We say $f$ is in Type 2 complexity class $C$ if it is $C$-computable. $f$ is $C$-complete if it is $C$-computable and $C$-hard [22]. If $f : D \to \mathbb{R}$ is $C$-computable, then it has a $C$-computable modulus of continuity over $D$. Polynomials, exp, and sin are all P-computable functions. A recent result [21] established that the complexity of computing solutions of Lipschitz-continuous ODEs over compact domains is a PSPACE-complete problem.

2.2 Bounded SMT over $\mathbb{R}_{\mathcal{F}}$

We now let $\mathcal{F}$ denote an arbitrary collection of Type 2 computable functions. $\mathcal{L}_{\mathcal{F}}$ denotes the first-order signature and $\mathbb{R}_{\mathcal{F}}$ is the standard structure $\langle \mathbb{R}, \mathcal{F} \rangle$. We can then consider the SMT problem over $\mathbb{R}_{\mathcal{F}}$, namely, satisfiability of quantifier-free $\mathcal{L}_{\mathcal{F}}$-formulas over $\mathbb{R}_{\mathcal{F}}$. We consider formulas whose variables take values from bounded intervals. Because of this, it is more convenient to directly write the bounds on existential quantifiers and express bounded SMT problems as $\Sigma_1$-sentences with bounded quantifiers.

Definition 2.5 (Bounded $\Sigma_1$-Sentences). A bounded $\Sigma_1$-sentence in $\mathcal{L}_{\mathcal{F}}$ is
$$\varphi :\ \exists^{I_1} x_1 \cdots \exists^{I_n} x_n .\ \psi(x_1, \ldots, x_n).$$

- For all $i$, $I_i \subseteq \mathbb{R}$ is a bounded (open or closed) interval with rational endpoints.

- Each bounded quantifier $\exists^{I_i} x_i . \phi$ denotes $\exists x_i . (x_i \in I_i \wedge \phi)$.

- $\psi(x_1, \ldots, x_n)$ is a quantifier-free $\mathcal{L}_{\mathcal{F}}$-formula, i.e., a Boolean combination of atomic formulas of the form $f(x_1, \ldots, x_n) \circ 0$, where $f$ is a composition of functions in $\mathcal{F}$ and $\circ \in \{<, \leq, >, \geq, =, \neq\}$.

- We write $\mathrm{dom}(\varphi) = I_1 \times \cdots \times I_n$, and require that all the functions occurring in $\psi(x)$ are defined everywhere over its closure $\overline{\mathrm{dom}(\varphi)}$.

We can write a bounded $\Sigma_1$-sentence as $\exists^{I} x . \psi(x)$ for short.

Lemma 2.1 (Standard Form). Any bounded $\Sigma_1$-sentence $\varphi$ in $\mathcal{L}_{\mathcal{F}}$ is equivalent over $\mathbb{R}_{\mathcal{F}}$ to a sentence of the following form:
$$\exists^{I_1} x_1 \cdots \exists^{I_n} x_n \bigwedge_{i=1}^{m} \Big( \bigvee_{j=1}^{k_i} f_{ij}(x) = 0 \Big).$$

Proof. Assume that $\varphi$ is originally $\exists^{I} x \bigwedge_{i=1}^{m} \big( \bigvee_{j=1}^{k_i} g_{ij}(x) \circ 0 \big)$, where $\circ \in \{<, \leq, >, \geq, =, \neq\}$. We apply the following transformations:

1. (Eliminate $\neq$) Substitute each atomic formula of the form $g_{ij} \neq 0$ by $g_{ij} < 0 \vee g_{ij} > 0$.

2. (Eliminate $<, \leq$) Substitute $g_{ij} < 0$ by $-g_{ij} > 0$, and $g_{ij} \leq 0$ by $-g_{ij} \geq 0$. Now the formula is rewritten to $\exists^{I} x \bigwedge_{i=1}^{m} \big( \bigvee_{j=1}^{k_i} g'_{ij}(x) \circ 0 \big)$, where $\circ \in \{>, \geq, =\}$. ($g'_{ij} = -g_{ij}$ if the inequality is reversed; otherwise $g'_{ij} = g_{ij}$.)

3. (Eliminate $>, \geq$) Substitute $g'_{ij} \geq 0$ (or $g'_{ij} > 0$) by $g'_{ij} - v_{ij} = 0$, where $v_{ij}$ is a newly introduced variable, and add an innermost bounded existential quantifier $\exists^{I_{v_{ij}}} v_{ij}$, where $I_{v_{ij}} = [0, m_{v_{ij}}]$ (respectively $I_{v_{ij}} = (0, m_{v_{ij}}]$ for the strict inequality). Here, $m_{v_{ij}} \in \mathbb{Q}$ is any value greater than the maximum of $g'_{ij}$ over $\overline{\mathrm{dom}(\varphi)}$. Note that such a maximum of $g'_{ij}$ always exists over $\overline{\mathrm{dom}(\varphi)}$, since $g'_{ij}$ is continuous on $\overline{\mathrm{dom}(\varphi)}$, which is compact, and the maximum is computable [22].

The formula is now in the form $\exists^{I} x\, \exists^{I_v} v . \bigwedge_{i=1}^{m} \big( \bigvee_{j=1}^{k_i} f_{ij}(x, v) = 0 \big)$, where $f_{ij} = g'_{ij} - v_{ij}$ if $v_{ij}$ has been introduced in the previous step; otherwise, $f_{ij} = g'_{ij}$. The new formula is in the standard form and equivalent to the original. $\square$

Example 2.1. A standard form of $\exists^{[-1,1]} x\, \exists^{[-1,1]} y\, \exists^{[-1,1]} z\ (e^z < x \to y < \sin(x))$ is
$$\exists^{[-1,1]} x\, \exists^{[-1,1]} y\, \exists^{[-1,1]} z\, \exists^{[0,10]} u\, \exists^{(0,10]} v\ \big( (e^z - x - u = 0) \vee (\sin(x) - y - v = 0) \big).$$
(The implication is first rewritten as $e^z - x \geq 0 \vee \sin(x) - y > 0$; the bound $10$ exceeds the maxima of $e^z - x$ and $\sin(x) - y$ over $[-1,1]^3$, which are at most $e + 1$ and $2$.)

Recall that we allow the interval bounds on variables to be either open or closed. Let $\overline{S}$ and $S^{\circ}$ denote the closure and interior of any set $S$ over the reals. Based on our need we can consider the closure or the interior of the domains in a $\Sigma_1$-sentence.

Definition 2.6 (Closure and Interior). Let $\varphi := \exists^{I_1} x_1 \cdots \exists^{I_n} x_n . \psi(x)$ be a bounded $\Sigma_1$-sentence in $\mathcal{L}_{\mathcal{F}}$; we define the closure and interior of $\varphi$ as:
$$\overline{\varphi} := \exists^{\overline{I_1}} x_1 \cdots \exists^{\overline{I_n}} x_n . \psi(x) \quad \text{(Closure)}$$
$$\varphi^{\circ} := \exists^{I_1^{\circ}} x_1 \cdots \exists^{I_n^{\circ}} x_n . \psi(x) \quad \text{(Interior)}$$

Proposition 2.2. For any $\Sigma_1$-sentence $\varphi$, $\varphi^{\circ} \to \varphi$ and $\varphi \to \overline{\varphi}$.

3 The Bounded $\delta$-SMT Problem

The key for bridging numerical procedures and SMT problems is to introduce syntactic perturbations on $\Sigma_1$-sentences in $\mathcal{L}_{\mathcal{F}}$.

Definition 3.1 ($\delta$-Weakening and Perturbations). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$ be a constant and $\varphi$ be a $\Sigma_1$-sentence in standard form:
$$\exists^{I} x . \bigwedge_{i=1}^{m} \Big( \bigvee_{j=1}^{k_i} f_{ij}(x) = 0 \Big).$$
The $\delta$-weakening of $\varphi$ is defined as:
$$\varphi^{\delta} := \exists^{I} x . \bigwedge_{i=1}^{m} \Big( \bigvee_{j=1}^{k_i} |f_{ij}(x)| \leq \delta \Big).$$
Also, a $\delta$-perturbation is a constant vector $c = (c_{11}, \ldots, c_{m k_m})$, $c_{ij} \in \mathbb{Q}$, satisfying $\|c\| \leq \delta$, such that the $c$-perturbed form of $\varphi$ is given by:
$$\varphi^{c} := \exists^{I} x . \bigwedge_{i=1}^{m} \Big( \bigvee_{j=1}^{k_i} f_{ij}(x) = c_{ij} \Big).$$

Proposition 3.1. $\varphi^{\delta}$ is true iff there exists a $\delta$-perturbation $c$ such that $\varphi^{c}$ is true. In particular, $c$ can be the zero vector, and thus $\varphi \to \varphi^{\delta}$.

We now define the bounded $\delta$-SMT problem. We follow the convention that SMT solvers return sat/unsat, which is equivalent to the corresponding $\Sigma_1$-sentence being true/false.

Definition 3.2 (Bounded $\delta$-SMT in $\mathcal{L}_{\mathcal{F}}$). Let $\mathcal{F}$ be a finite collection of Type 2 computable functions. Let $\varphi$ be a bounded $\Sigma_1$-sentence in $\mathcal{L}_{\mathcal{F}}$ in standard form. The bounded $\delta$-SMT problem asks for one of the following two decisions on $\varphi$:

- unsat: $\varphi$ is false.

- $\delta$-sat: $\varphi^{\delta}$ is true.

When the two cases overlap, either decision can be returned.

Our main theoretical claim is that the bounded $\delta$-SMT problem is decidable for $\delta \in \mathbb{Q}^+$. This is essentially a special case of our more general results for arbitrarily-quantified $\mathcal{L}_{\mathcal{F}}$-sentences [15]. However, different from [15], here we defined the standard forms of SMT problems to contain only equalities in the matrix, on which the original proof does not work directly. Also, in [15] we relied on results from computable analysis that are not needed here. We now give a direct proof for the decidability of $\delta$-SMT and analyze its complexity.

Theorem 3.1 (Decidability). Let $\mathcal{F}$ be a finite collection of Type 2 computable functions and $\delta \in \mathbb{Q}^+$. The bounded $\delta$-SMT problem in $\mathcal{L}_{\mathcal{F}}$ is decidable.

Proof. We describe a decision procedure which, given any bounded $\Sigma_1$-sentence $\varphi$ in $\mathcal{L}_{\mathcal{F}}$ and $\delta \in \mathbb{Q}^+$, decides whether $\varphi$ is false or $\varphi^{\delta}$ is true. Assume that $\varphi$ is in the form of Definition 3.1.

First, we need a uniform bound on all the variables so that a modulus of continuity for each function can be computed. Suppose each $x_i$ is bounded by $I_i$, whose closure is $\overline{I_i} = [l_i, u_i]$. We write
$$\varphi := \exists^{[0,1]} x_1 \cdots \exists^{[0,1]} x_n \bigwedge_{i=1}^{m} \Big( \bigvee_{j=1}^{k_i} f_{ij}\big(l_1 + (u_1 - l_1) x_1, \ldots, l_n + (u_n - l_n) x_n\big) = 0 \Big).$$
From now on, $g_{ij} = f_{ij}(l_1 + (u_1 - l_1) x_1, \ldots, l_n + (u_n - l_n) x_n)$. After the transformation, we have $\overline{\mathrm{dom}(\varphi)} = [0,1] \times \cdots \times [0,1]$, on which each $g_{ij}$ is computable (it is a composition of the finitely many computable functions in $\mathcal{F}$) and has a computable modulus of continuity $m_{g_{ij}}$. We write $\psi(x)$ to denote the matrix of $\varphi$ after the transformation.

Choose $r \in \mathbb{N}$ such that $2^{-r} < \delta/4$. Then for each $g_{ij}$, we use $m_{g_{ij}}$ to obtain $e_{ij} = m_{g_{ij}}(r)$. Choose $e \in \mathbb{N}$ such that
$$e \geq \max(e_{11}, \ldots, e_{m k_m}) \tag{1}$$
and write $\varepsilon = 2^{-e}$. We then have, for every $g_{ij}$,
$$\forall x, y \in \overline{\mathrm{dom}(\varphi)}\ \big( \|x - y\| < \varepsilon \to |g_{ij}(x) - g_{ij}(y)| < \delta/4 \big). \tag{2}$$



We now consider a finite $\varepsilon$-net of $\overline{\mathrm{dom}(\varphi)}$, i.e., a finite $S_{\varepsilon} \subseteq \overline{\mathrm{dom}(\varphi)}$ satisfying
$$\forall x \in \overline{\mathrm{dom}(\varphi)}\ \exists a \in S_{\varepsilon}\ \|x - a\| < \varepsilon. \tag{3}$$
In fact, $S_{\varepsilon}$ can be explicitly defined as
$$S_{\varepsilon} = \{ (a_1, \ldots, a_n) : a_i = k \cdot \varepsilon,\ \text{where } k \in \mathbb{N},\ 0 \leq k \leq 2^{e} \}. \tag{4}$$
Next, we evaluate the matrix $\psi(x)$ on each point in $S_{\varepsilon}$, as follows. Let $a \in S_{\varepsilon}$ be arbitrary. For each $g_{ij}$ in $\psi$, we compute $g_{ij}(a)$ up to an error bound of $\delta/8$, and write the result of the evaluation as $\tilde{g}_{ij}(a)$. Then $|g_{ij}(a) - \tilde{g}_{ij}(a)| < \delta/8$. Note that $\tilde{g}_{ij}(a)$ is a rational number. We then define
$$\tilde{\psi}(a) := \bigwedge_{i=1}^{m} \bigvee_{j=1}^{k_i} |\tilde{g}_{ij}(a)| \leq \delta/2. \tag{5}$$
Then for each $a$, evaluating $\tilde{\psi}(a)$ only involves comparison of rational numbers and Boolean evaluation, and $\tilde{\psi}(a)$ is either true or false. Now, by collecting the value of $\tilde{\psi}$ on every point in $S_{\varepsilon}$, we have the following two cases.

- Case 1: For some $a \in S_{\varepsilon}$, $\tilde{\psi}(a)$ is true. We show that $\varphi^{\delta}$ is true. Note that
$$\tilde{\psi}(a) \to \bigwedge_{i=1}^{m} \bigvee_{j=1}^{k_i} |\tilde{g}_{ij}(a)| \leq \delta/2 \to \bigwedge_{i=1}^{m} \bigvee_{j=1}^{k_i} |g_{ij}(a)| < 5\delta/8.$$
We need to be careful about $a$, since it is an element in $\overline{\mathrm{dom}(\varphi)}$, not necessarily in $\mathrm{dom}(\varphi)$. If $a \in \mathrm{dom}(\varphi)$, then $\varphi^{\delta}$ is true, witnessed by $a$. Otherwise, $a \in \partial(\mathrm{dom}(\varphi))$. Then by continuity of $g_{ij}$, there exists $a' \in \mathrm{dom}(\varphi)$ such that $\bigwedge_{i=1}^{m} \bigvee_{j=1}^{k_i} |g_{ij}(a')| < \delta$. (Just let a small enough ball around $a$ intersect $\mathrm{dom}(\varphi)$ at $a'$.) That means $\varphi^{\delta}$ is also true in this case, witnessed by $a'$.

- Case 2: For every $a \in S_{\varepsilon}$, $\tilde{\psi}(a)$ is false. We show that $\varphi$ is false. Note that
$$\neg\tilde{\psi}(a) \to \bigvee_{i=1}^{m} \bigwedge_{j=1}^{k_i} |\tilde{g}_{ij}(a)| > \delta/2 \to \bigvee_{i=1}^{m} \bigwedge_{j=1}^{k_i} |g_{ij}(a)| > 3\delta/8.$$
Now recall conditions (2) and (3). For an arbitrary $x \in \mathrm{dom}(\varphi)$, there exists $a \in S_{\varepsilon}$ such that $|g_{ij}(x) - g_{ij}(a)| < \delta/4$ for every $g_{ij}$. Consequently, for the index $i$ with $\bigwedge_{j} |g_{ij}(a)| > 3\delta/8$, we have $|g_{ij}(x)| > 3\delta/8 - \delta/4 = \delta/8$ for every $j$. Thus, $\forall x \in \mathrm{dom}(\varphi)$, $\bigvee_{i=1}^{m} \bigwedge_{j=1}^{k_i} |g_{ij}(x)| > 0$. This means $\neg\varphi$ is true, and $\varphi$ is false.

In all, the procedure decides either that $\varphi^{\delta}$ is true, or that $\varphi$ is false. $\square$

We now analyze the complexity of the $\delta$-SMT problem. The decision procedure given above essentially evaluates the formula on each sample point. Thus, given an oracle for evaluating the functions, we can construct a nondeterministic Turing machine that guesses a sample point and decides the formula.

Most of the functions we are interested in (exp, sin, ODEs) are in Type 2 complexity class P or PSPACE. To prove interesting complexity results, a technical restriction is that we need to bound the number of function compositions in a formula, because otherwise evaluating nested polynomial-time functions can be exponential in the depth of nesting. Formally we define:

Definition 3.3 (Uniformly Bounded $\Sigma_1$-class). Let $\mathcal{F}$ be a finite set of Type 2 computable functions, and $S$ a class of bounded $\Sigma_1$-sentences in $\mathcal{L}_{\mathcal{F}}$. Let $l, u \in \mathbb{Q}$ satisfy $l < u$. We say $S$ is uniformly $(l, u, \mathcal{F})$-bounded, if $\forall \varphi \in S$ of the form in Definition 3.1:

- $\forall 1 \leq i \leq n$, $I_i \subseteq [l, u]$.

- Each $f_{ij}(x)$ is contained in $\mathcal{F}$.

Proposition 3.2 ([22]). Let $C$ be a Type 2 complexity class contained in PSPACE. Then given any compact domain $D$, a $C$-computable function has a uniform modulus of continuity over $D$ given by a polynomial function.

We are now ready to prove the main complexity claim. 

Theorem 3.2 (Complexity). Let $\mathcal{F}$ be a finite set of functions in Type 2 complexity class $C$, $\mathrm{P} \subseteq C \subseteq \mathrm{PSPACE}$. The $\delta$-SMT problem for uniformly bounded $\Sigma_1$-classes in $\mathcal{L}_{\mathcal{F}}$ is in $\mathrm{NP}^{C}$.

Proof. We describe a nondeterministic Turing machine with a function oracle of complexity $C$, that can decide in polynomial time the $\delta$-SMT problem for a uniformly bounded class.

The function oracle $\theta$ we use behaves as follows. Given strings $s$, $t$ and $d$ on the query tape, $\theta(s, t, d)$ looks up the function $f_s \in \mathcal{F}$ encoded by $s$ and returns the value of $f_s(x_t)$ up to an error bound of $2^{-d}$, where $x_t$ is a rational vector encoded by $t$ taken as the argument of $f_s$. Since all the functions in $\mathcal{F}$ are in complexity class $C$, $\theta(s, t, d)$ is a $C$-oracle.

For any symbol $s$, we write $\mathrm{len}(s)$ to denote its bit-length. For an integer $i$, we know $\mathrm{len}(i) = O(\log i)$. For a rational number $d$, which is the ratio of coprime integers $p$ and $q$, $\mathrm{len}(d) = O(\mathrm{len}(p) + \mathrm{len}(q)) = O(\log(pq))$. For a function $f$, $\mathrm{len}(f)$ is the length of its name. We write $O(\mathrm{poly}(n))$ to denote $\bigcup_{i} O(n^{i})$.

Let $\varphi$ be the input formula as in Definition 3.1, where each $f_{ij} \in \mathcal{F}$. Suppose $\varphi$ is in a uniformly $(l, u, \mathcal{F})$-bounded class.

First, we observe that $e$, defined in (1), can be obtained in time $O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$, and $e = O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$ (thus $\mathrm{len}(e) = O(\mathrm{len}(\varphi) + \mathrm{len}(\delta))$). This can be seen as follows. First, since $2^{-r} < \delta/4$, we know $r = O(\log(1/\delta)) = O(\mathrm{len}(\delta))$. Then for each $f_{ij}$, we use its uniform modulus of continuity over $[l, u]^n$ given by a polynomial $m_{f_{ij}}$ (Proposition 3.2), and obtain $e'_{ij} = m_{f_{ij}}(r)$, in time $O(\mathrm{poly}(\mathrm{len}(r)))$ and with $e'_{ij} = O(\mathrm{poly}(r))$. Then we compute $e_{ij}$ for the function $g_{ij}$ by scaling $e'_{ij}$, using $e_{ij} = \big\lceil -\log\big(2^{-e'_{ij}} / \max_{1 \leq i \leq n}\{u_i - l_i\}\big) \big\rceil$. Thus $e_{ij} = O(e'_{ij} + \log(\max_i(u_i - l_i))) = O(\mathrm{poly}(\mathrm{len}(\delta) + \mathrm{len}(\varphi)))$. Finally, let $e$ be the biggest $e_{ij}$. It is then clear that $e = O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$, obtainable in polynomial time.

Next, our procedure evaluates the matrix of the formula on each point $a \in S_{\varepsilon}$. Note from (4) that $S_{\varepsilon}$ is of size exponential in $e$. Here we exploit the nondeterminism of the machine by guessing $0 \leq k \leq 2^{e}$ on each dimension. Note that since $\log k \leq e$, we have $\mathrm{len}(k) = O(e) = O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$. Let $a = (a_1, \ldots, a_n)$ be the guessed point in $S_{\varepsilon}$. Following the above estimate of $\mathrm{len}(k)$ and $\mathrm{len}(\varepsilon) = O(\log(2^{e})) = O(e)$, we have $\mathrm{len}(a) = O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$.

Now we evaluate $\tilde{\psi}(a)$. With access to the $C$-oracle specified above, this can be done in polynomial time, as follows. For each $g_{ij}(a)$, we query the oracle with $\theta(f_{ij}, a_{lu}, d)$, where $a_{lu}$ is $a$ scaled by $[l_i, u_i]$ on each dimension and $d$ is chosen so that $2^{-d} \leq \delta/8$. This query uses $O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$ space on the query tape. The oracle then returns the value of $f_{ij}(a_{lu})$ up to $\delta/8$, which is $\tilde{g}_{ij}(a)$, and since $C \subseteq \mathrm{PSPACE}$, $\mathrm{len}(\tilde{g}_{ij}(a))$ is polynomial in the input. Next we evaluate each atom by comparing these values obtained from the oracle with $\delta/2$. This uses time $O(\mathrm{poly}(\mathrm{len}(\varphi) + \mathrm{len}(\delta)))$. Finally, if $\tilde{\psi}(a)$ is true, we return $\delta$-sat. Thus the problem is decided in nondeterministic polynomial time using access to the $C$-oracle. We can conclude that the $\delta$-SMT problem for a uniformly bounded class is in $\mathrm{NP}^{C}$. $\square$

Remark 3.1. The restriction to a uniformly bounded class of formulas is a technical one. For a class of formulas of interest, we can always choose a rich enough $\mathcal{F}$ that contains the compositions we need, and a loose enough uniform bound on the variables.

We can now obtain a precise characterization of the complexity for $\delta$-SMT problems in signatures of interest. Recall that most common functions, such as polynomials, exp, sin, are all P-computable and Lipschitz-continuous ODEs are PSPACE-complete.

Corollary 3.1. Let $\mathcal{F}$ be a finite set of P-time computable real functions, such as $\{+, \times, \exp, \sin\}$. The uniformly-bounded $\delta$-SMT problem for $\mathcal{L}_{\mathcal{F}}$ is NP-complete.

Proof. Since the functions in $\mathcal{F}$ are P-time computable, the $\delta$-SMT problem is in $\mathrm{NP}^{\mathrm{P}} = \mathrm{NP}$. We only need to encode Boolean satisfiability for hardness. We need to be careful that no negations can be used. For any propositional formula $\phi(p_1, \ldots, p_n)$, substitute $p_i$ by $x_i \leq 0$ and $\neg p_i$ by $x_i \geq 1$, and add $(x_i = 0 \vee x_i = 1)$ as a clause to the formula. Add the quantifiers $\exists^{[0,1]} x_i$ for each $x_i$. Then for any $\delta < 0.5$, $\phi$ is satisfiable iff the translation is $\delta$-true, and unsatisfiable iff the translation is false. Note that the cases do not overlap. $\square$
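The grid-evaluation procedure from the proof of Theorem 3.1 (with the width scaling of $e$ from the proof of Theorem 3.2) together with the SAT encoding of Corollary 3.1, as an added example in Python that is not part of the original paper. Atoms are supplied as `(g, L)` pairs where `L` bounds the $\ell_1$-norm of the gradient of $g$ on the box, so that $m_g(r) = r + \lceil \log_2 L \rceil$ is a uniform modulus of continuity for the sup norm; evaluating `exp` and `sin` in double precision is assumed to meet the $\delta/8$ error budget of (5) (true for any $\delta$ far above machine precision). The enumeration of the $\varepsilon$-net is the deterministic version of the guess made by the nondeterministic machine of Theorem 3.2, and the SAT encoding uses the equalities-only form of $x_i \leq 0$ and $x_i \geq 1$ on $[0,1]$. The names `delta_decide`, `encode_cnf` and `solve_cnf` and the two constructed instances are the example's own.

```python
import math
from fractions import Fraction
from itertools import product
from typing import Callable, List, Optional, Sequence, Tuple

# An atom g(x) = 0 in standard form, with L >= 0 bounding the l1-norm of grad g on the box,
# so that |g(x) - g(y)| <= L * ||x - y||_inf (||.|| is the sup norm, as in the paper).
Atom = Tuple[Callable[..., float], float]
Matrix = List[List[Atom]]           # conjunction of disjunctions of atoms (Lemma 2.1)
Box = Sequence[Tuple[Fraction, Fraction]]


def modulus(L: float, r: int) -> int:
    """m_g(r): ||x - y|| < 2^-m_g(r) implies |g(x) - g(y)| < 2^-r (Definition 2.3)."""
    return r + math.ceil(math.log2(L)) if L > 1 else r


def delta_decide(box: Box, matrix: Matrix, delta):
    """Decision procedure of Theorem 3.1: ("unsat", None) or ("delta-sat", witness a)."""
    delta = Fraction(delta)
    widths = [u - l for l, u in box]
    r = 0                                   # choose r with 2^-r < delta/4
    while Fraction(1, 2 ** r) >= delta / 4:
        r += 1
    # e >= every m_g(r), plus the scaling term of Theorem 3.2: the grid lives in the
    # original coordinates, so the spacing width_i * 2^-e must be at most 2^-m_g(r).
    scale = max(0, math.ceil(math.log2(float(max(widths)))))
    e = max(modulus(L, r) + scale for clause in matrix for _, L in clause)
    # The eps-net S_eps of (4): a_i = l_i + k * width_i * 2^-e for 0 <= k <= 2^e.
    steps = 2 ** e
    grids = [[l + w * Fraction(k, steps) for k in range(steps + 1)]
             for (l, _), w in zip(box, widths)]
    # Evaluate psi~(a) of (5) at every grid point (the NP machine of Theorem 3.2 guesses a).
    # Assumption: the float evaluation error of each g is below the delta/8 budget.
    for a in product(*grids):
        if all(any(abs(g(*map(float, a))) <= delta / 2 for g, _ in clause)
               for clause in matrix):
            return "delta-sat", a
    return "unsat", None


def worst_residual(matrix: Matrix, a) -> float:
    """max over clauses of min over atoms of |g(a)|; at most delta/2 at a delta-sat witness."""
    af = list(map(float, a))
    return max(min(abs(g(*af)) for g, _ in clause) for clause in matrix)


# Two constructed instances over [0,1]: sin(x) = y together with x = 1/2 (delta-sat), and
# exp(x) = 3, which has no solution on [0,1] and stays at least 3 - e > 1/4 away from one.
UNIT = (Fraction(0), Fraction(1))
TRIG_MATRIX: Matrix = [[(lambda x, y: math.sin(x) - y, 2.0)], [(lambda x, y: x - 0.5, 1.0)]]
EXP_MATRIX: Matrix = [[(lambda x: math.exp(x) - 3.0, 3.0)]]


def encode_cnf(num_vars: int, clauses: Sequence[Sequence[int]]) -> Tuple[Box, Matrix]:
    """Corollary 3.1, equalities-only form: on [0,1], p_i becomes x_i = 0 (i.e. x_i <= 0)
    and not p_i becomes x_i - 1 = 0 (i.e. x_i >= 1); the clause x_i = 0 or x_i - 1 = 0 is
    added per variable. Literals follow DIMACS: +i is p_i, -i is not p_i."""
    def atom(i: int, negated: bool) -> Atom:
        return (lambda *x, i=i, c=(1.0 if negated else 0.0): x[i] - c), 1.0
    matrix = [[atom(abs(lit) - 1, lit < 0) for lit in clause] for clause in clauses]
    matrix += [[atom(i, False), atom(i, True)] for i in range(num_vars)]
    return [UNIT] * num_vars, matrix


def solve_cnf(num_vars: int, clauses: Sequence[Sequence[int]], delta="1/4") -> Optional[List[bool]]:
    """SAT via delta-SMT. For delta < 1/2 the weakened atoms |x_i| <= delta and
    |x_i - 1| <= delta are disjoint, so a delta-sat witness reads off an assignment."""
    delta = Fraction(delta)
    box, matrix = encode_cnf(num_vars, clauses)
    verdict, a = delta_decide(box, matrix, delta)
    return None if verdict == "unsat" else [abs(v) <= delta for v in a]


if __name__ == "__main__":
    print(delta_decide([UNIT, UNIT], TRIG_MATRIX, "1/10"))
    print(delta_decide([UNIT], EXP_MATRIX, "1/10"))
    print(solve_cnf(3, [[1, 2], [-1, 2], [-2, 3]]), solve_cnf(1, [[1], [-1]]))
```

The number of grid points is $(2^e + 1)^n$, exponential in the number of variables even for these tiny instances; that cost is what the nondeterministic guess hides in Theorem 3.2, and what the ICP-based procedure of Section 4 avoids in practice.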

Corollary 3.2. Let $\mathcal{F}$ be a finite set of Lipschitz-continuous ODEs over compact domains. Then the uniformly-bounded $\delta$-SMT problem in $\mathcal{L}_{\mathcal{F}}$ is in PSPACE, and there exists $\mathcal{L}_{\mathcal{F}}$ such that it is PSPACE-complete.

Proof. We have $\mathrm{NP}^{\mathrm{PSPACE}} = \mathrm{PSPACE}$. Since some ODEs are PSPACE-complete to solve [21], there exists $\mathcal{L}_{\mathcal{F}}$ for which the $\delta$-SMT problem is PSPACE-complete. $\square$



4 $\delta$-Completeness of the DPLL(ICP) Framework

We now give a formal analysis of the integration of ICP and DPLL(T) for solving bounded $\delta$-SMT. Our goal is to establish sufficient and necessary conditions under which such an integration is $\delta$-complete.

4.1 Interval Constraint Propagation 

The method of Interval Constraint Propagation (ICP) [3] finds solutions of real constraints using a "branch-and-prune" method, combining interval arithmetic and constraint propagation. The idea is to use interval extensions of functions to "prune" out sets of points that are not in the solution set, and "branch" on intervals when such pruning cannot be done, until a small enough box that may contain a solution is found. A high-level description of the decision version of ICP is given in Algorithm 1 and we give formal definitions as follows.

Definition 4.1 (Floating-Point Intervals and Hulls). Let $\mathbb{F}$ denote the finite set of all floating point numbers with symbols $-\infty$ and $+\infty$ under the conventional order $<$. Let $\mathbb{IF} = \{[a, b] \subseteq \mathbb{R} : a, b \in \mathbb{F},\ a \leq b\}$ denote the set of closed real intervals with floating-point endpoints, and $\mathbb{BF} = \bigcup_{n=1}^{\infty} \mathbb{IF}^n$ the set of boxes with these intervals. Let $S \subseteq \mathbb{R}$ be any set of real numbers; the hull of $S$ is written as $\mathrm{Hull}(S) = \bigcap \{ I \in \mathbb{IF} : S \subseteq I \}$.

For $I = [a, b] \in \mathbb{IF}$, we write $|I| = |b - a|$ to denote its size.

Definition 4.2 (Interval Extension (cf. [3])). Let $f :\subseteq \mathbb{R}^n \to \mathbb{R}$ be a real function. An interval extension operator $\sharp(\cdot)$ maps $f$ to a function $\sharp f :\subseteq \mathbb{BF} \to \mathbb{IF}$, such that $\forall B \in \mathbb{BF} \cap \mathrm{dom}(\sharp f)$, $\{f(x) : x \in B\} \subseteq \sharp f(B)$.

Example 4.1. The natural extension of $f = 2 \cdot (x + y) \cdot z$ is given by $\sharp f = [2, 2] \cdot (I_x + I_y) \cdot I_z$, where the interval operations are defined as $[a_1, b_1] + [a_2, b_2] = [a_1 + a_2, b_1 + b_2]$ and $[a_1, b_1] \cdot [a_2, b_2] = [\min(a_1 a_2, a_1 b_2, b_1 a_2, b_1 b_2), \max(a_1 a_2, a_1 b_2, b_1 a_2, b_1 b_2)]$.

In Algorithm 1, $\mathrm{Branch}(B, i)$ is an operator that returns two smaller boxes $B' = I_1 \times \cdots \times I'_i \times \cdots \times I_n$ and $B'' = I_1 \times \cdots \times I''_i \times \cdots \times I_n$, where $I_i \subseteq I'_i \cup I''_i$. To ensure termination it is assumed that there exists some constant $0 < c < 1$ such that $c \cdot |I_i| \leq |I'_i|$ and $c \cdot |I_i| \leq |I''_i|$ for all $i$.

The key component of the algorithm is the $\mathrm{Prune}(B, f)$ operation. A simple example of a pruning operation is as follows.

Example 4.2. Consider $x - y = 0$ with initial intervals $x \in [1, 2]$ and $y \in [0, 4]$. Let $\sharp f(I_x, I_y) = I_x - I_y$ be the natural interval extension of the left hand side. Since $\sharp f([1, 2], [2, 4]) = [-3, 0]$ contains $0$ only at its endpoint (which requires $x = y = 2$), no point with $y > 2$ can satisfy the constraint, and we can contract the interval on $y$ from $[0, 4]$ to $[0, 2]$ in one pruning step.

In principle, any operation that contracts the intervals on variables can be seen as pruning. However, for correctness we need several formal requirements on the pruning operator in $\mathrm{ICP}_{\varepsilon}$.



Algorithm 1: High-Level $\mathrm{ICP}_{\varepsilon}$ (decision version of Branch-and-Prune)

input: Constraints $f_1(x_1, \ldots, x_n) = 0, \ldots, f_m(x_1, \ldots, x_n) = 0$, initial box $B_0 = I_1^0 \times \cdots \times I_n^0$, box stack $S = \emptyset$, and precision $\varepsilon \in \mathbb{Q}^+$.
output: sat or unsat.

 1  $S$.push($B_0$);
 2  while $S \neq \emptyset$ do
 3      $B \leftarrow S$.pop();
 4      while $\exists 1 \leq i \leq m,\ B \neq \mathrm{Prune}(B, f_i)$ do
 5          $B \leftarrow \mathrm{Prune}(B, f_i)$;
 6      end
 7      if $B \neq \emptyset$ then
 8          if $\exists 1 \leq i \leq n,\ |I_i| \geq \varepsilon$ then
 9              $\{B_1, B_2\} \leftarrow \mathrm{Branch}(B, i)$;
10              $S$.push($\{B_1, B_2\}$);
11          else
12              return sat;
13          end
14      end
15  end
16  return unsat;


Notation 4.1. For any $f : \mathbb{R}^n \to \mathbb{R}$, we write $Z_f = \{a \in \mathbb{R}^n : f(a) = 0\}$.

Definition 4.3 (Well-defined Pruning Operators). Let $\mathcal{F}$ be a collection of real functions, and $\sharp$ be an interval extension operator on $\mathcal{F}$. A well-defined (equality) pruning operator with respect to $\sharp$ is a partial function $\mathrm{Prune}_{\sharp} :\subseteq \mathbb{BF} \times \mathcal{F} \to \mathbb{BF}$, such that $\forall f \in \mathcal{F}$ and $\forall B \in \mathbb{BF}$,

- (W1) $\mathrm{Prune}_{\sharp}(B, f) \subseteq B$;

- (W2) If $\mathrm{Prune}_{\sharp}(B, f) \neq \emptyset$, then $0 \in \sharp f(\mathrm{Prune}_{\sharp}(B, f))$;

- (W3) $B \cap Z_f \subseteq \mathrm{Prune}_{\sharp}(B, f)$.

When $\sharp$ is clear, we simply write $\mathrm{Prune}$. The definition specifies the following requirements. (W1) requires contraction, so that the algorithm always makes progress: branching always decreases the size of boxes, and pruning never increases them. (W2) requires that the result of a pruning is always a reasonable box that may contain a zero. Otherwise $B$ should have been pruned out. (W3) ensures that the real solutions are never discarded in pruning (called "completeness" in [3]). We use $\mathrm{Prune}(B, f_1, \ldots, f_m)$ to denote the iterative application of $\mathrm{Prune}(\cdot, f_i)$ on $B$ for all $1 \leq i \leq m$, until a fixed point is reached (lines 4-6 in Algorithm 1).

Proposition 4.1. For all $i$, $\mathrm{Prune}(B, f_1, \ldots, f_m) \subseteq \mathrm{Prune}(B, f_i)$.

It is clear from the description of Algorithm 1 that the following properties hold.

Lemma 4.1. Algorithm 1 always terminates. If it returns sat then there exist nonempty boxes $B, B' \subseteq B_0$ such that $\|B\| < \varepsilon$ and $B = \mathrm{Prune}(B', f_1, \ldots, f_m)$. If it returns unsat then $\forall a \in B_0$, there exists $B \subseteq B_0$ such that $a \in B$ and $\mathrm{Prune}(B, f_1, \ldots, f_m) = \emptyset$.

Now we prove the main theorem. 

Theorem 4.2 ((5-Completeness of ICP^). Let 5 E (Q+ be arbitrary. We can 
find an s & Q+ such that the ICPg algorithm is 6 -complete for conjunctive Ei- 
sentences in Cj: (where sat is interpreted as (5-satj if and only if the pruning 
operator in ICPe is well-defined. 

Proof. Wc consider an arbitrary bounded existential /Ijr-sentence containing 
only conjunctions, written as </? : 3^x. Al^i /i(^) = 0- Let Bq = I he the initial 
bounding box. 

Since all the functions in Lp are computable over Bq, each fi has a uniform 
modulus of continuity over Bq, which we write as m/-. Choose any S N such 
that 2"*^ < 5. Then for any Si < mf^{k), we have 

yx,y€ Bq, \\x-y\\<ei^ \fi{x) - fi{y)\ < d. (6) 

We now fix e to be any positive rational number smaller than min(ei, Em)- 

By the previous lemma, we know $\mathrm{ICP}_\varepsilon$ terminates and returns either sat or unsat. We now prove the two directions of the biconditional.

$\Leftarrow$: Suppose the pruning operator in $\mathrm{ICP}_\varepsilon$ is well-defined.

Suppose $\mathrm{ICP}_\varepsilon$ returns "$\delta$-sat". Then by Lemma 4.1, there exist $B, B' \subseteq B_0$ such that $B = \mathrm{Prune}(B', f_1, \ldots, f_m)$ and $\|B'\| < \varepsilon$. Then by (W2), we know that $0 \in \sharp f_i(B)$ for every $f_i$. Now, by the definition of $\varepsilon$, we know from (6) that for every $i$, $\forall a \in B$, $|f_i(a) - 0| < \delta$. Namely, any $a \in B$ is a witness for $\varphi^\delta : \exists^I x.\ \bigwedge_i |f_i(x)| < \delta$. Thus the $\delta$-weakening of $\varphi$ is true.

Suppose $\mathrm{ICP}_\varepsilon$ returns "unsat", and suppose $\varphi$ is in fact satisfiable. Then there is a point $a \in B_0$ such that $\varphi(a)$ is true. However, following Lemma 4.1, $a \in B$ for some $B \subseteq B_0$ with $\mathrm{Prune}(B, f_1, \ldots, f_m) = \emptyset$, which contradicts condition (W3) of the pruning operator.

$\Rightarrow$: We only need to show that without any one of the three conditions in Definition 4.3, we can define a pruning operator that fails $\delta$-completeness.

Without (W1), we define a pruning operator that always outputs intervals bigger than $\varepsilon$ (such as the initial intervals). Then the procedure never terminates. Note that the other two conditions are trivially satisfied in this case (for any $f$ and $B_0$ satisfying $0 \in \sharp f(B_0)$). Without (W2), consider the function $f(x) =$ with $x \in [-1, 1]$. We can define a pruning operator such that $\mathrm{Prune}([-1, 1], f) = [1, 1]$. This operator satisfies the other two conditions. However, the returned result $[1, 1]$ fails $\delta$-completeness for any $\delta$ smaller than 2, since $f(1) = 2$. Without (W3), we simply prune any set to $\emptyset$ and always return unsat. This violates $\delta$-completeness, which requires that if unsat is returned the formula must indeed be unsatisfiable. The other two conditions are also satisfied in this case. $\square$

In practice, pruning operators are defined based on consistency conditions from constraint propagation techniques. Many pruning operators are used in practice [3]. Following Theorem 4.2, we only need to prove their well-definedness to ensure $\delta$-completeness. For instance:



Definition 4.4 (Box-consistent Pruning [19]). We say $\pi_B : \mathbb{BF} \times \mathcal{F} \to \mathbb{IF}$ is box-consistent, if for all $f \in \mathcal{F}$ and $B = I_1 \times \cdots \times I_n \subseteq \mathrm{dom}(f)$, the $i$-th interval of $\pi_B(B, f)$ is $I_i \cap \mathrm{Hull}(\{a_i \in \mathbb{R} : 0 \in \sharp f(I_1, \ldots, \mathrm{Hull}(\{a_i\}), \ldots, I_n)\})$.

Proposition 4.2. The box-consistent pruning operator is well-defined.

4.2 Handling ODEs

In this section we expand our language to consider solutions of the initial value problems (IVP) of Lipschitz-continuous ODEs. Let $t_0, T \in \mathbb{R}$ and $g : \mathbb{R}^n \to \mathbb{R}^n$ be a Lipschitz-continuous function, i.e., for all $x_1, x_2 \in \mathbb{R}^n$, $\|g(x_1) - g(x_2)\| \leq c\|x_1 - x_2\|$ for some constant $c$. Let $t_0, T$ satisfy $t_0 < T$ and $y_0 \in \mathbb{R}^n$. An IVP problem is given by

$\frac{dy}{dt} = g(y(t))$ and $y(t_0) = y_0$, where $t \in [t_0, T]$,

where $y : [t_0, T] \to \mathbb{R}^n$ is called the solution of the IVP. Consider $y(t)$ as $(y_1(t), \ldots, y_n(t))$; then each component $y_i : [t_0, T] \to \mathbb{R}$ is a Type 2 computable function, and can appear in some signature $\mathcal{F}$. In fact, we can also regard $y_0$ as an argument of $y_i$ and write $y_i(t, y_0)$. This does not change the computability properties of $y_i$, since following the Picard-Lindelöf representation $y(t) = \int_{t_0}^{t} g(y(s))\,ds + y_0$, $y_i(t)$ is only linearly dependent on $y_0$.

In practice, with an ICP framework, we can exploit interval solvers for IVP 
problems [26], for pruning intervals on variables that appear in constraints in- 
volving ODEs. This direction has received much recent attention [12, 11, 17, 20]. 

Consider the IVP problem defined above, with $y_0$ contained in a box $B_{t_0} \subseteq \mathbb{R}^n$. Let $t_0 < t_1 < \cdots < t_m = T$ be a set of points in $[t_0, T]$. An interval-based ODE solver returns a set of boxes $B_{t_1}, \ldots, B_{t_m}$ such that

$\forall i \in \{1, \ldots, m\},\ [y(t_i; B_{t_0})] = \{y(t) : t_0 \leq t \leq t_i,\ y_0 \in B_{t_0}\} \subseteq B_{t_i}.$

Now let $y_i : [t_0, T] \times B_0 \to \mathbb{R}$ be the $i$-th component of the solution $y$ of an IVP problem. Then interval-based ODE solvers compute interval extensions of $y_i$. Thus, pruning operators that respect the interval extension computed by interval ODE solvers can be defined. It can be concluded from Theorem 4.2 that $\mathrm{ICP}_\varepsilon$ is $\delta$-complete for equalities involving ODEs, as long as the pruning operator is well-defined. The simplest strategy is just to prune out any set of points outside the interval extension:

Proposition 4.3 (Simple ODE-Pruning). Let $y_i(t, y_0)$ be the $i$-th component function of an IVP problem. Suppose $\sharp y_i$ is computed by an interval ODE solver. Then the pruning operator $\mathrm{Prune}(I, y_i) = I \cap \sharp y_i(I_t, B_{y_0})$ is well-defined.

4.3 DPLL(ICP) 

Now consider the integration of ICP into the framework of DPLL(T), so that the full $\delta$-SMT problem can be solved. Given a formula $\varphi$, a DPLL(ICP) solver uses SAT solvers to enumerate solutions to the Boolean abstraction $\varphi^B$ of the formula, and uses $\mathrm{ICP}_\varepsilon$ to decide the satisfiability of conjunctions of atomic formulas. DPLL(ICP) returns sat when $\mathrm{ICP}_\varepsilon$ returns sat to some conjunction of theory atoms witnessing the satisfiability of $\varphi^B$, and returns unsat when $\mathrm{ICP}_\varepsilon$ returns unsat on all the solutions to $\varphi^B$. Thus, it follows naturally that using a $\delta$-complete theory solver $\mathrm{ICP}_\varepsilon$, DPLL(ICP) is also $\delta$-complete.

Corollary 4.1 ($\delta$-Completeness of DPLL(ICP)). Let $\mathcal{F}$ be a set of real functions. Then the pruning operators in $\mathrm{ICP}_\varepsilon$ are well-defined for $\mathcal{F}$, if and only if, DPLL(ICP) using $\mathrm{ICP}_\varepsilon$ is $\delta$-complete for bounded $\Sigma_1$-sentences in $\mathcal{L}_{\mathcal{F}}$.

Proof. Let $\varphi$ be a bounded SMT problem $\exists^I x.\ \bigwedge_i \bigvee_j f_{ij}(x) = 0$. Its Boolean abstraction $\varphi^B$ is given by $\bigwedge_i \bigvee_j p_{ij}$, where $p_{ij}$ is the propositional abstraction of $f_{ij}(x) = 0$.

Choose $\varepsilon$ to satisfy $\forall x, y \in I,\ \|x - y\| < \varepsilon \to |f_{ij}(x) - f_{ij}(y)| < \delta$ for all $f_{ij}$ that appear in $\varphi$.

Now, in the DPLL(T) framework, whenever the SAT solver returns an assignment to the $p_{ij}$ such that $\varphi^B$ evaluates to true, $\mathrm{ICP}_\varepsilon$ is used for checking the satisfiability of the corresponding conjunction of theory atoms. It is important to note that $\varphi^B$ does not contain negations.

Suppose the pruning operator in $\mathrm{ICP}_\varepsilon$ is well-defined. Then $\mathrm{ICP}_\varepsilon$ is $\delta$-complete. Now, suppose DPLL(ICP) returns sat. Then $\varphi^B$ is true, witnessed by a set $\{p_1, \ldots, p_m\}$ assigned to true, which in turn corresponds to a set $\{f_1(x) = 0, \ldots, f_m(x) = 0\}$ of the theory atoms. By $\delta$-completeness of $\mathrm{ICP}_\varepsilon$, we know that $\varphi^\delta$ is true. On the other hand, suppose $\varphi$ is decided as unsat. Then either there is no assignment such that $\varphi^B$ is true, or for each satisfying assignment to $\varphi^B$, $\mathrm{ICP}_\varepsilon$ decides that the corresponding set of theory atoms is not satisfiable. By $\delta$-completeness of $\mathrm{ICP}_\varepsilon$, the unsat answers are always correct. In all, DPLL(ICP) is also $\delta$-complete.

Suppose the pruning operator in $\mathrm{ICP}_\varepsilon$ is not well-defined. Then DPLL(ICP) is simply not $\delta$-complete for conjunctions of theory atoms, and thus not $\delta$-complete for bounded SMT in $\mathcal{L}_{\mathcal{F}}$. $\square$

5 Applications 

$\delta$-Complete solvers return answers that allow one-sided, $\delta$-bounded errors. The framework allows us to easily understand the implications of such errors in practical problems. Indeed, $\delta$-complete solvers can be directly used in the following correctness-critical problems.

Bounded Model Checking and Invariant Validation. Let $S = (X, \mathrm{Init}, \mathrm{Trans})$ be a transition system over $X$, which can be continuous or hybrid. Then given a subset $U \subseteq X$, the bounded model checking problem asks whether $\varphi_n := \exists x_0, \ldots, x_n\,(\mathrm{Init}(x_0) \wedge \bigwedge_{i=0}^{n-1} \mathrm{Trans}(x_i, x_{i+1}) \wedge x_n \in U)$ is true. Here $U$ denotes the "unsafe" values of the system, and we say $S$ is safe up to $n$ if $\varphi_n$ is false. Thus, using a $\delta$-complete solver for $\varphi_n$, we can determine the following: If $\varphi_n$ is unsat, then $S$ is indeed safe up to $n$; on the other hand, if $\varphi_n$ is $\delta$-sat, then either the system is unsafe, or it would be unsafe under a $\delta$-perturbation, and a counterexample is provided by the certificate for $\delta$-sat. This $\delta$ can be set by the user based on the intended tolerance of errors of the system. Thus, a $\delta$-complete solver can be directly used.

For invariant validation, a proposed invariant $\mathrm{Inv}$ can prove safety if the sentence $\varphi := \forall x, x'\,((\mathrm{Init}(x) \to \mathrm{Inv}(x)) \wedge (\mathrm{Inv}(x) \wedge \mathrm{Trans}(x, x') \to \mathrm{Inv}(x')) \wedge (\mathrm{Inv}(x) \to \neg U(x)))$ is true. We then use a $\delta$-complete solver on $\neg\varphi$, which is existential. When unsat is returned, $\mathrm{Inv}$ is indeed an inductive invariant proving safety. When $\delta$-sat is returned, either $\mathrm{Inv}$ is not an inductive invariant, or under a small numerical perturbation, $\mathrm{Inv}$ would violate the inductive conditions.

Theorem Proving. For theorem proving, one-sided errors are not directly useful since no robustness problem is involved. We can still approach a statement $\varphi$ by making $\delta$-decisions on $\neg\varphi$, and refine $\delta$ when needed. Starting from any $\delta$, whenever unsat is returned, $\varphi$ is proved; when $\delta$-sat is returned, we can try a smaller $\delta$. This reflects the common practice in proving these statements.

6 Conclusion 

We introduced the notion of "$\delta$-complete decision procedures" for solving SMT problems over real numbers. Our aim is to provide a general framework for solving a wide range of nonlinear functions including transcendental functions and solutions of Lipschitz-continuous ODEs. $\delta$-Completeness serves as a replacement of the conventional completeness requirement on exact solvers, which is impossible to satisfy in this domain. We proved the existence of $\delta$-complete decision procedures for bounded SMT over reals with Type 2 computable functions and showed the complexity of the problem. We use $\delta$-completeness as the standard correctness requirement on numerically-driven decision procedures, and formally analyzed the solving framework DPLL(ICP). We proved sufficient and necessary conditions for its $\delta$-completeness. We believe our results serve as a foundation for the development of scalable numerically-driven decision procedures and their application in formal verification and theorem proving.